* Wed Apr 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-124
- Add more restriction on entrypoint for unconfined domains.
parent
578b67080c
commit
28cc160db1
@ -16174,7 +16174,7 @@ index 8416beb..19d6aba 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index e7d1738..3ed4189 100644
index e7d1738..6ac60c3 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
@ -16308,6 +16308,19 @@ index e7d1738..3ed4189 100644
########################################
#
@@ -301,9 +322,10 @@ fs_associate_noxattr(noxattrfs)
# Unconfined access to this module
#
-allow filesystem_unconfined_type filesystem_type:filesystem *;
+allow filesystem_unconfined_type filesystem_type:filesystem all_filesystem_perms;
# Create/access other files. fs_type is to pick up various
# pseudo filesystem types that are applied to both the filesystem
# and its files.
-allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
+allow filesystem_unconfined_type filesystem_type:{ file } ~entrypoint;
+allow filesystem_unconfined_type filesystem_type:{ dir lnk_file sock_file fifo_file chr_file blk_file } *;
diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
index 7be4ddf..9710b33 100644
--- a/policy/modules/kernel/kernel.fc
@ -17578,7 +17591,7 @@ index e100d88..991e1a5 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8dbab4c..96d9a91 100644
index 8dbab4c..15c063c 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@ -17865,7 +17878,23 @@ index 8dbab4c..96d9a91 100644
########################################
#
# Unlabeled process local policy
@@ -409,4 +496,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
@@ -399,14 +486,39 @@ if( ! secure_mode_insmod ) {
# Rules for unconfined acccess to this module
#
-allow kern_unconfined proc_type:{ dir file lnk_file } *;
+allow kern_unconfined proc_type:{ file } ~entrypoint;
+allow kern_unconfined proc_type:{ dir lnk_file } *;
-allow kern_unconfined sysctl_type:{ dir file } *;
+allow kern_unconfined sysctl_type:{ file } ~entrypoint;
+allow kern_unconfined sysctl_type:{ dir } *;
allow kern_unconfined kernel_t:system *;
-allow kern_unconfined unlabeled_t:dir_file_class_set *;
+allow kern_unconfined unlabeled_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } *;
+allow kern_unconfined unlabeled_t:file ~entrypoint;
allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
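Review bot: The new `file ~entrypoint` rules at the proc_type, sysctl_type and unlabeled_t lines (and the matching filesystem_type rule in the filesystem.te hunk above) carry no comment, while the surrounding block only says "Rules for unconfined acccess to this module", so a reader has to recover from the commit message why `file` was split out of the class sets; a comment such as `# file is listed separately so that entrypoint is withheld: unconfined domains keep every other file permission but cannot use these types as a domain entrypoint` would record the intent in the policy itself. Since `~entrypoint` is a complement, it still grants `execute` and every permission later added to the `file` class, so the change restricts which files may serve as a domain entrypoint rather than what an unconfined domain may run; worth stating so nobody reads it as a broader hardening. In the filesystem.te hunk the `filesystem` rule was rewritten from `*` to `all_filesystem_perms` while the sibling dir/lnk_file/sock_file rules keep `*`; if the explicit macro form is preferred, applying it consistently would make the unconfined block easier to audit. The enclosing kern_unconfined rule block continues outside the hunk.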
@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 123%{?dist}
Release: 124%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -602,7 +602,10 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Wed Apr 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-123
* Wed Apr 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-124
- Add more restriction on entrypoint for unconfined domains.
* Tue Apr 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-123
- Allow abrtd to list home config. BZ(1199658)
- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)